Privacy Impact Assessment (PIA) FAQs

A Privacy Impact Assessment (PIA) is a process for identifying and addressing privacy risks associated with the implementation of an administrative practice or information system that collects, uses, discloses, stores or processes identifying personal or health information.

OIPC – Privacy Impact Assessments (PIAs): Frequently Asked Questions (HIA)

Your specific responsibilities depend on the practice setting in which you work, your employer, and your employment agreements.

Does your job description or contract indicate that you are an affiliate of a custodian designated in the Health Information Act or Health Information Regulation?

If you work in a public practice setting (e.g., an Acute Care Alberta facility or a Covenant Health facility), the organization that you work for is the custodian and will have a Privacy Officer whose role is to prepare and submit PIAs for the information technology and information management systems used in the processing, storage, and retrieval of health information within the organization, and for the setting's administrative practices. If you don't know who the organization's Privacy Officer is, ask your manager.

If you work in a private practice setting as an employee of a custodian designated under the HIA, and your contract or job description includes language designating you as an affiliate of the custodian, the custodian (with or without the help of the Privacy Officer they designate) has the responsibility to prepare and submit PIAs for information technology and information management systems used in the processing, storage, and retrieval of health information within the practice setting and the setting’s administrative practices.

If your job description or contract does not indicate that you are an affiliate of a custodian designated in the Health Information Act or Health Information Regulation, you are required to prepare and submit a PIA.

If you work in a sole-charge practice setting, or in a practice setting where you are the only health-care provider who is a custodian under the HIA, and you have not already completed a PIA for the information systems you employ (e.g., EMR, AI scribe tool, virtual care platform) or for your administrative practices, you will need to develop a PIA for each system or administrative practice.

If you have previously submitted a PIA for your information systems and administrative practices, you are required to submit an amendment to that existing PIA. The amendment must reflect the change in the legislation that now applies to your practice and your role as a custodian under the HIA. The amendment to the PIA should include updates to key terms used in the PIA (e.g., references to custodians, affiliates and health information as those terms are defined in the Act) and clearly demonstrate how privacy policies and procedures that apply to the information system or administrative practice have been updated to reflect the requirements of the HIA. 

The concept of “sharing custodians” has been introduced recently to refer to situations where two or more custodians have custody of the same electronic health information, for example, by virtue of sharing an EMR. If you work in a private group practice setting with other custodians under the HIA, whether those custodians are physiotherapists or members of other health professions, it is possible to submit one PIA for each system on behalf of the group of custodians, provided certain conditions are met.

All the custodians need to be employing the same administrative practices and implementing the same system, policies, and procedures. 

Before becoming sharing custodians (e.g., before starting to share an EMR), the custodians need to complete a PIA and establish policies and procedures. As with all custodians, their policies and procedures must address access, correction, amendment, disclosure, and use of health information. In addition to these general requirements, the policies and procedures of sharing custodians need to address:

  • The roles and responsibilities of the custodians
  • Shared health information custody considerations, including how:
    • A sharing custodian can cease to be a sharing custodian (leave a practice)
    • Affiliates are identified for each sharing custodian
    • The sharing custodian ensures affiliates comply with the HIA, its regulations, and the custodian's policies and procedures

In this case, all custodians in the practice can sign off on one PIA for the information system or administrative practice. One custodian is designated as the primary contact for the PIA in the event the Office of the Information and Privacy Commissioner needs to follow up about the PIA. 

Each custodian remains individually accountable for compliance with the HIA.

If you are already a sharing custodian (i.e., you currently share an EMR with other custodians) you must submit a PIA within two years.

Examples would include the creation of, or changes to, your privacy policies, or if you are adding new custodians to an existing PIA that pertains to a group practice setting as described above.

Other changes to administrative practices that would trigger a PIA amendment include migrating an EMR from on-site to cloud storage, adding modules or functionality to an existing EMR, or transferring health information from a custodian to a successor custodian (e.g., when a custodian is retiring).

You can check the PIA Registry available on the Office of the Information and Privacy Commissioner’s website to see if a PIA has been submitted for the custodian and information systems that you use. 

The PIA is specific to the custodian. 

For example, the registry reveals that several custodians have submitted PIAs related to their use of the more common EMRs used by physiotherapists. This does not mean that you are excused from preparing a PIA for the same EMR. The PIA is specific to the information system and to the policies and procedures in use by the custodian who is implementing the information system.

If you have previously submitted a PIA for an information system or administrative practice, you are required to submit a PIA amendment to Alberta’s Privacy Commissioner outlining the changes to your circumstances, policies, procedures, risks and safeguards. See PIA Amendments in Privacy Impact Assessment Requirements (2010) or contact the OIPC for more information. 

PIAs are a requirement under the HIA. Yes, you still need to complete a PIA for your information systems and administrative processes related to the health information in your custody and control.

The requirement to prepare and submit a PIA is separate and distinct from Netcare considerations. Custodians need to prepare and submit PIAs for paper-based practices and administrative processes as well as electronic ones.

If you are pursuing access to Netcare, you will be required to prepare a Netcare-specific PIA as well. 

Yes. A PIA needs to be prepared and submitted for each information system or administrative practice that collects, uses, or discloses health information about identifiable individuals. 

However, if you are a custodian that has multiple information systems in use, your first PIA should describe your organizational controls (policies and procedures) and the implementation details related to the main system. Each subsequent PIA submitted for other information systems does not need to include your organizational controls (policies and procedures), if the controls described in the first PIA have not changed. When submitting subsequent PIAs, reference the previously submitted PIA, using the file name assigned by the OIPC. 

Page updated: 15/06/2026